What You Need to Know About Cybersecurity Ratings

What Are Security Ratings?

Security ratings are metrics used by a number of different companies to quantify businesses’ cyber risk. As security ratings continue to mature, more organizations in the public and private sectors use them to make business and risk decisions. Because of the increased interest in security ratings, the US Chamber of Commerce has published recommendations for industry-wide approaches to increase public confidence in them:

  • Promote quality and accuracy in the production of security ratings
  • Promote fairness in reporting
  • Include a coordinated process for adjudicating errors or inaccuracies in reported content
  • Establish guidelines for appropriate use and disclosure of the scores and ratings

Some Issues Associated With Security Ratings

The general purpose of these guidelines is to make security ratings as trustworthy and well-known as the current system of credit ratings. This is a worthy goal, but the cyber security sector just isn’t there yet. The meaning of a specific security rating can be hard to pin down, because it depends on the rating company’s data sets and on the methodology it applies to those data sets.

Where Do Security Ratings Fail?

Security ratings may be incorrect for a couple of reasons:

  • Ratings that use external data are very vulnerable to gaming: a business can make small changes that only affect its score without addressing the underlying security issues.
  • Ratings that use internal verticals can be years out of date.

The Only True Use of a Security Rating is Comparison and Tracking

Compare the relative security of your assets and/or your suppliers to each other. Track the progress you’ve made. Getting the most accurate security rating is predicated on having a recent internal cyber security assessment.

The SecurityGate Security Risk and Compliance Management Platform automates this process, giving you access to your company’s milestone progress toward cyber security compliance, as well as that of all your suppliers and vendors. You can then quickly isolate your security issues using the most up-to-date information.

References:

https://www.uschamber.com/issue-brief/principles-fair-and-accurate-security-ratings